
'SMiShing' fishes for personal data over cell phone

Mobile phone users are subject to the same types of phishing lures that they get through their e-mail, Sprint warns as 'SMiShing' attack makes the rounds.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

When we think of phishing attacks, in which scammers try to lure sensitive information out of Internet users, we think of fake official-looking e-mails and Web sites.

But you don't even need to be online to get phished. A phishing attack making the rounds tries to dupe cell phone users into revealing their personal data over the phone. It uses SMS messages, which makes it a "SMiShing" attempt.

It all starts with a spam text message purporting to be from a financial institution. In this case, it's from a source identified as KeyPoint Credit Union, warning that an account has been locked and providing an 888 phone number to "verify" the account, said a CNET News reader who received one of the spam text messages on his Sprint phone.

When the phone number is called, an automated message prompts for Social Security number, credit card number, and driver's license number, he said.

"Every carrier has seen it," Matt Sullivan, a Sprint spokesman, said on Tuesday. "We have filtering technology that we are constantly updating to try to weed out some of this."

Asked how spammers get hold of the phone numbers, Sullivan speculated that they are using a random auto-dialer. Even if only 1 percent of the people called expose their information, the SMiShers are successful, he said.

Customers can block specific numbers that keep calling, but for most spammers that isn't effective, as they usually take one shot at the phone number and then move on, Sullivan said.

Sprint has had a fraud alert about SMiShing on its Web site for about a year, but reports go back to at least 2006.